Tuesday, December 3, 2024
HomeCyber AttackHackers Use SIM Swapping Technique to Gain Access to Microsoft Azure Machines

Hackers Use SIM Swapping Technique to Gain Access to Microsoft Azure Machines

Published on

SIEM as a Service

Researchers uncovered a financially motivated threat group known as ‘UNC3944’ which employs phishing and SIM-swapping techniques to seize control of Microsoft Azure admin accounts. 

Enabling them to exploit Azure’s Serial Console on VMs for persistent installation of remote management software and covert surveillance through Azure Extensions.

UNC3944, an identified threat group, has been actively operating since May 2022, as reported by Mandiant. Their primary objective is to extract sensitive data from targeted organizations by leveraging the cloud computing service of Microsoft.

- Advertisement - SIEM as a Service

The notorious UNC3944 group, known for its malicious activities, was previously linked to the development of the following toolkits:-

  • STONESTOP loader
  • POORTRY kernel-mode driver 

While all these tools were specifically designed to disable security software, they were a significant threat to computer systems.

Initial Access

Here, to sign their kernel drivers, the threat actors have utilized stolen Microsoft hardware developer accounts through which they operated their proceedings.

For initial access, the threat actors primarily rely on the compromised credentials of administrators or other privileged accounts.

The attacker uses SMS phishing and SIM swapping to impersonate privileged users and deceive help desk agents into providing multi-factor reset codes. Still, Mandiant lacks sufficient data to identify the specifics of the SIM swapping technique.

Here below, we have mentioned all the extensions used by the attackers:-

  • Azure Network Watcher
  • Guest Agent Automatic Log Collection
  • VMSnapshot 
  • Guest configuration

Technical Analysis

UNC3944 employs Azure Extensions during the subsequent attack phase, employing covert surveillance and information-gathering techniques to camouflage their malicious activities as ordinary daily operations, effectively blending in with everyday activities.

Azure Extensions are additional features and services designed to enhance the functionality and automation of Azure VMs, offering an array of additional capabilities and task-automating options when integrated.

By being executed within the virtual machine and primarily utilized for legitimate intentions, these extensions possess an inherent stealthiness, making them appear less suspicious.

The threat actor exploited the inherent capabilities of Azure diagnostic extensions, specifically the “CollectGuestLogs” function, to gather log files from the compromised endpoint.

For direct administrative console access to virtual machines, UNC3944 leverages Azure Serial Console. This enables the threat actors to operate the serial port to execute commands via command prompt.

Mandiant’s observation reveals that the initial action taken by intruders is executing the “whoami” command to determine the active user and acquire essential data for advancing their exploitation tactics.

The threat actors employ PowerShell to bolster their presence on the virtual machine (VM) and deploy various remote administrator tools intentionally omitted from the report.

UNC3944 plans to establish a covert and continuous connection to their C2 server through a reverse SSH tunnel. This allows them to evade security measures by configuring port forwarding to enable direct access to an Azure VM via Remote Desktop.

Upon gaining unauthorized access to a target virtual machine (VM), the attacker creates a new process, specifically C:\Windows\System32\sacsess.exe, which subsequently triggers the execution of cmd.exe. 

Within the command prompt, the attacker executes the “whoami” command, revealing the username of the currently active user.

The rise of Living off the Land attacks, leveraging built-in tools to avoid detection, highlights the expanding threat landscape beyond the operating system layer, as demonstrated by attackers’ innovative utilization of the serial console.

Mandiant advises organizations to limit remote administration access and refrain from using SMS as a multifactor authentication option whenever feasible to enhance security measures. 

This recommendation aims to mitigate potential risks by reducing exposure to unauthorized access and enhancing authentication protocols.

Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...